AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2026-04-19 · Documentation low

File: cloudhsm/latest/userguide/manage-keys-cloudhsm-cli-share.md

Summary

Added 'derive, or wrap' to the list of operations that users with shared keys cannot perform

Security assessment

This change clarifies security restrictions for shared keys in CloudHSM by explicitly stating that users with shared keys cannot derive or wrap keys. This enhances security documentation by providing more complete information about key access controls, but there's no evidence it addresses a specific security vulnerability.

Diff

diff --git a/cloudhsm/latest/userguide/manage-keys-cloudhsm-cli-share.md b/cloudhsm/latest/userguide/manage-keys-cloudhsm-cli-share.md
index ce21e19aa..4a92f8390 100644
--- a//cloudhsm/latest/userguide/manage-keys-cloudhsm-cli-share.md
+++ b//cloudhsm/latest/userguide/manage-keys-cloudhsm-cli-share.md
@@ -11 +11 @@ Example: Sharing and unsharing a keyRelated topics
-Use the commands in this topic to share and unshare keys in [CloudHSM CLI](./cloudhsm_cli.html). In AWS CloudHSM, the crypto user (CU) who creates the key owns it. The owner can use the **key share** and **key unshare** commands to share and unshare the key with other CUs. Users with whom the key is shared can use the key in cryptographic operations, but they cannot export the key, delete the key, or share it with other users.
+Use the commands in this topic to share and unshare keys in [CloudHSM CLI](./cloudhsm_cli.html). In AWS CloudHSM, the crypto user (CU) who creates the key owns it. The owner can use the **key share** and **key unshare** commands to share and unshare the key with other CUs. Users with whom the key is shared can use the key in cryptographic operations, but they cannot delete, export, share, unshare, derive, or wrap the key.